Received HTTP/0.9 when not allowed with http2 feature

[ehuss]

The most recent release of curl-sys v0.4.57+curl-7.85.0 seems to have introduced a problem where curl is failing with the error Received HTTP/0.9 when not allowed. The following test illustrates the problem:

#[test]
fn simple() -> Result<(), curl::Error> {
    let mut curl = Easy::new();

    curl.url("https://github.com/")?;
    curl.write_function(|data| {
        eprintln!("Got {} bytes", data.len());
        Ok(data.len())
    })?;
    curl.useragent(&format!("curl-rust 0.4.44"))?;
    curl.perform()?;
    let code = curl.response_code()?;
    eprintln!("finished with {:?}", code);

    Ok(())
}

Building on GitHub Actions with Windows (2019 or 2022 doesn't matter), with --features http2 causes this to fail. The destination site doesn't seem to matter.

I haven't been able to narrow it down more. Also, I cannot reproduce on my on Windows system which is somewhat confusing.

[ehuss]

I have confirmed that this issue starts with curl/curl#8419.

[ehuss]

Confirmed that this requires Windows 11 or Windows Server 2022. There is some runtime detection for the Windows version, as there were issues with the TLS 1.3 implementation in Windows 10.

    /* Windows Server 2022 and newer (including Windows 11) support TLS 1.3
       built-in. Previous builds of Windows 10 had broken TLS 1.3
       implementations that could be enabled via registry.
    */

I haven't been able to make any breakthroughs. I tried building curl from source along with nghttp2, but I couldn't directly reproduce. Building C code on Windows is quite challenging, so I'm not certain I did it correctly.

I tried updating to a newer version of nghttp2, but that didn't seem to help.

[ehuss]

Submitted upstream curl/curl#9451 as I'm able to repro outside of Rust.

@sagebind or @alexcrichton, I was wondering if you'd be willing to yank 0.4.57? This is causing problems with Cargo (essentially nothing works on Windows 11 or Windows Server since we build with nghttp2).

We could also update to 7.84 which doesn't have the problem (curl-sys jumped from 7.83 to 7.85, and 7.85 contains the issue), until we figure out exactly what is going on.

[alexcrichton]

Sure yeah, I yanked [email protected]+curl-7.85.0. I know that the release was also done for a few CVEs in curl so @sagebind feel free to unyank if you feel like it's more important to get the CVE fixes out there.

[sagebind]

It appears that the curl bug was introduced in 7.85.0, so I suppose one option would be to just upgrade to 7.84.0 and at least get some of the CVE fixes out there. Though I'm not sure its really worth that depending on how quickly the issue will be fixed upstream.

[ehuss]

Closing as this has now been fixed.

Unfortunately there is another schannel issue (curl/curl#9431). In Cargo, I decided to disable TLS 1.3 on Windows to avoid it. I'm not sure how much of an impact it will have on other curl-rs users. In my experiments, that issue only triggered when fetching very small files.